Process Tracking Emails

8 posts Page 1 of 1
IsraelPaya67
Junior Member
Posts: 2
Joined: 23 Sep 2015, 07:38


I have several websites made in WordPress. WordPress tries to update itself regularly. When it happens, I receive an email of this type from the server for every website:

Time: Tue Sep 22 08:30:35 2015 +0200
PID: 5733 (Parent PID:3407)
Account: userxxx
Time active: 76 seconds
Executable:
/usr/bin/php
Command line (often misrepresented exploits):
/usr/bin/php /home/userxxx/public_html/wp-cron.php
Network connections of the process (if any):
tcp: 37.187...

How can I avoid receiving these emails?

Thank you so much.

Regards.
maever
Junior Member
Posts: 12
Joined: 21 Jan 2009, 12:00


Hello IsraelPaya67,

One solution would be to add the command line (with a wildcard) of the script in question to the csf.pignore file, as in the example below:
Code:
pcmd:/usr/bin/php /home/.*/public_html/wp-cron.php
Hope it helps :)
IsraelPaya67
Junior Member
Posts: 2
Joined: 23 Sep 2015, 07:38


Fantastic. Thank you so much for your support!
Best regards.
cglmicro
Junior Member
Posts: 12
Joined: 16 Apr 2017, 15:30


It's not working for me with the wildcard.
Here is my /etc/csf/csf.pignore file (only a few lines of it):
Code:
cmd:/opt/cpanel/ea-php56/root/usr/bin/php-cgi /home/.*/public_html/wp-cron.php
cmd:/opt/cpanel/ea-php56/root/usr/bin/php-cgi /home/.*/public_html/wp-admin/admin-ajax.php
I did RESTART CSF+LFD when asked, and I still receive these emails:
Code:
Time:    Sun Apr 16 10:44:00 2017 -0400
PID:     20892 (Parent PID:15283)
Account: fakeusername
Uptime:  167 seconds


Executable:

/opt/cpanel/ea-php56/root/usr/bin/php-cgi


Command Line (often faked in exploits):

/opt/cpanel/ea-php56/root/usr/bin/php-cgi /home/fakeusername/public_html/wp-admin/admin-ajax.php


Network connections by the process (if any):

tcp: 108.163.xxx.xxx:41141 -> 108.163.xxx.xxx:80
I also tried with a wildcard * instead of .* but got the same result. Any suggestions?
Sergio
Junior Member
Posts: 1366
Joined: 12 Dec 2006, 14:56


Add just the following line to csf.pignore:
exe:/usr/bin/php

That will work.
cglmicro
Junior Member
Posts: 12
Joined: 16 Apr 2017, 15:30


I saw this answer in another thread, and it brings up another question: won't this line ignore every alert regarding PHP scripts, or does it just affect this single alert?
Sergio
Junior Member
Posts: 1366
Joined: 12 Dec 2006, 14:56


@cglmicro,
That line helps PHP to run; chances are that other customers will trigger the same.

On the other hand, on the first post was:
Executable:
/usr/bin/php

But in your post you wrote:
Executable:
/opt/cpanel/ea-php56/root/usr/bin/php-cgi

Both are completely different approaches.

So, for your particular case you should add the following line in csf.pignore:
exe:/opt/cpanel/ea-php56/root/usr/bin/php-cgi

Sergio
cglmicro
Junior Member
Posts: 12
Joined: 16 Apr 2017, 15:30


Thank you, I just added
exe:/opt/cpanel/ea-php56/root/usr/bin/php-cgi
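
An added illustration, not part of any post in this thread and not lfd's own code: a simplified Python model of the csf.pignore rule types discussed above, where exe:/cmd:/user: are compared literally and pexe:/pcmd:/puser: are regular expressions, showing which rule silences which process. The whole-field regex match, the tightened pattern and the sample processes are assumptions constructed for the example.

```python
import re

PHP = "/opt/cpanel/ea-php56/root/usr/bin/php-cgi"  # executable from the alert above
LITERAL = "cmd:" + PHP + " /home/.*/public_html/wp-cron.php"      # cmd: is compared literally
LOOSE = "pcmd:" + PHP + " /home/.*/public_html/wp-cron.php"       # pcmd: is a regex
TIGHT = "pcmd:" + PHP + r" /home/[^/]+/public_html/wp-cron\.php"  # constructed tighter regex
BROAD = "exe:" + PHP                                              # ignores the whole binary

def parse_rule(line):
    """Split 'type:value' on the first colon and validate the type."""
    kind, sep, value = line.strip().partition(":")
    if not sep or kind not in ("exe", "cmd", "user", "pexe", "pcmd", "puser"):
        raise ValueError("not a csf.pignore rule: %r" % line)
    return kind, value

def rule_matches(rule, proc):
    """True if the rule would cause this process to be ignored (simplified model)."""
    kind, value = parse_rule(rule)
    is_regex = kind.startswith("p")
    field = proc[kind[1:] if is_regex else kind]
    if is_regex:
        # Assumption: the pattern has to match the whole field.
        return re.fullmatch(value, field) is not None
    return field == value

def proc(script):
    """Constructed sample process running `script` under the php-cgi binary."""
    return {"exe": PHP, "user": "fakeusername", "cmd": PHP + " " + script}

WP_CRON = proc("/home/fakeusername/public_html/wp-cron.php")
NESTED = proc("/home/fakeusername/tmp/public_html/wp-cron.php")
OTHER = proc("/home/fakeusername/public_html/uploads/unexpected.php")

def report():
    """Return {rule: [names of sample processes it would silence]}."""
    samples = {"WP_CRON": WP_CRON, "NESTED": NESTED, "OTHER": OTHER}
    return {r: [n for n, p in samples.items() if rule_matches(r, p)]
            for r in (LITERAL, LOOSE, TIGHT, BROAD)}

if __name__ == "__main__":
    for rule, hits in report().items():
        print(rule, "->", hits or "nothing")
```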